API security vulnerabilities in particular continue to be a thorn in the side of organizations, with high-severity CVEs now associated with access control flaws.
In the first quarter of 2022, 48 API-related vulnerabilities were discovered and reported, according to a whitepaper published by API security firm Wallarm.
The report (PDF) states that 18 were considered high-risk, while 19 were deemed medium-risk.
Several critical vulnerabilities disclosed publicly were scored between 8.1 and 10 on CVSS v3.
Top API threats
The cybersecurity firm merged the OWASP Top 10 and OWASP API Security Top 10 standards to classify the most critical API threat disclosures into broken access controls (or broken function level authorization, depending on the OWASP standard) and injection attacks.
There are also security flaws such as cryptographic failures, insecure design, excessive data exposure, and misconfigurations. However, the most dangerous exploited API vulnerabilities in Q1 2022 involved injection attacks, incorrect authorization or complete authorization bypasses, and incorrect permission assignments.
In the first quarter of 2022, CVE-2022-22947, also referred to as ‘Spring4Shell,’ topped the list of the four most dangerous API vulnerabilities disclosed.
Spring is affected by two vulnerabilities – CVE-2022-22963, a SpEL expression injection bug in Spring Cloud Function, and CVE-2022-22947, a code injection flaw leading to remote code execution (RCE) in the Spring Framework’s Java-based Core module.
Although the developer later deleted the exploit code, the public release of working RCE code turned Spring4Shell into a headache for developers who needed to apply Spring’s emergency patch.
Given the popularity of the Spring Framework, the vulnerability has been compared to Log4j. Almost immediately, Microsoft and CISA warned of active exploitation of the zero-day vulnerability. The Mirai botnet was then created by exploiting the bug.
Technologies targeted at enterprises
Second, Veeam Backup and Replication is vulnerable to CVE-2022-26501 (CVSS 9.8), an improper authentication bug that enables attackers to execute arbitrary code remotely without valid authentication credentials. Over 400,000 companies use Veeam, including many enterprises.
According to Nikita Petrov, the Positive Technologies researcher who disclosed the critical bug along with two others, CVE-2022-26501 had the potential to “be exploited in real attacks and put many organizations at significant risk.”
The third flaw, also assigned a CVSS score of 9.8, affects Zabbix, an enterprise-grade open-source network monitoring tool. When SAML SSO authentication is enabled (it is off by default), the tool’s front end is vulnerable to privilege escalation and admin session hijacking if an attacker knows the admin’s username.
The fourth vulnerability, CVE-2022-24327, has a CVSS score of 7.8 but is still classified as severe. JetBrains Hub contained a bug that exposed API keys with excessive permissions, inadvertently exposing developer accounts.
API security threats, which Wallarm groups under its API security threat category, are a common denominator in many cyber-attacks today. According to MITRE, the issue revolves around the system’s authorization functionality: critical values can be tampered with, allowing users to access other users’ data or records without permission.
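As an added illustration of the authorization weakness MITRE describes above (this is example code, not from Wallarm’s report or any product named on this page), the following Python shows an API handler that trusts a client-supplied record id beside a version that checks ownership against the server-side session and logs denials, plus a small heuristic over those logs to spot id probing. The records, user names and function names are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data: each record belongs to exactly one user.
RECORDS = {
    101: {"owner": "alice", "body": "alice's invoice"},
    102: {"owner": "bob", "body": "bob's invoice"},
    103: {"owner": "carol", "body": "carol's invoice"},
}

@dataclass
class Response:
    status: int
    body: object = None

def vulnerable_get_record(session_user, record_id):
    """Broken object-level authorization: the handler confirms a session exists
    but never checks who owns the requested record, so any authenticated user
    can read any record simply by changing the id in the request."""
    if session_user is None:
        return Response(401)
    rec = RECORDS.get(record_id)
    if rec is None:
        return Response(404)
    return Response(200, rec["body"])

def get_record(session_user, record_id, denied_log=None):
    """Hardened handler: ownership is checked against the server-side session
    identity, never a client-supplied value. A missing record and a record owned
    by someone else both return 404 so status codes do not reveal which ids
    exist; every denial is appended to denied_log for detection."""
    if session_user is None:
        return Response(401)
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != session_user:
        if denied_log is not None:
            reason = "missing" if rec is None else "foreign"
            denied_log.append(f"denied user={session_user} record={record_id} reason={reason}")
        return Response(404)
    return Response(200, rec["body"])

def flag_enumeration(denied_log, threshold=3):
    """Detection heuristic: a user denied on `threshold` or more distinct record
    ids is probing the id space; returns the set of such users."""
    seen = defaultdict(set)
    for line in denied_log:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        seen[fields["user"]].add(fields["record"])
    return {user for user, ids in seen.items() if len(ids) >= threshold}
```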
Throughout the history of modern networks and services, APIs have played a critical role in facilitating communication between functions, and they will continue to be a target for cyber-attackers.
In other recent API security news, the open-source hacking tool GoTestWAF has added OWASP and API exploit simulation capabilities for evaluating API security platforms.